Your data, our priority - how the Money Alive team protects your data

Posted on 18th April 2019

Dale Mooney, Infrastructure Manager

Designed from the ground up with security foremost in mind

The current, 4th-generation Money Alive Adviser Portal application has been built from the ground up and is the solely owned property of Money Alive Limited. A key reason for developing the platform from scratch, rather than starting with an open source CMS or similar, was security: ‘off the shelf’ CMSs are great in that they can be provisioned quickly and aid development speed, but they are often prone to known vulnerabilities that become the target of automated attacks.

Infrastructure fit for 2019

Gone are the days when application security was implemented on-site with expensive big black boxes. Money Alive takes full advantage of SaaS security products and has adopted Amazon’s AWS platform as our infrastructure partner of choice. Their track record of providing both a secure and highly scalable platform gives us unparalleled configuration options and support in further developing the Adviser Portal platform in any direction needed.

We make use of Cloudflare WAF (Web Application Firewall), which sits between you and the Adviser Portal. It helps us mitigate DDoS attacks and stop other malicious traffic from compromising customer data, such as user credentials, and it applies IP whitelisting to control traffic to the Adviser Portal.

We follow and implement all of Amazon’s Trusted Advisor recommendations and have 24-7 protection from their GuardDuty service. This provides continuous monitoring and includes intelligent threat detection.

All our servers and databases are updated automatically with security releases and minor version updates, and these updates are applied using a rolling method to prevent downtime.

We use 2-factor authentication (2FA) and strong password policies on all the services we use. Staff members who have access to the Adviser Portal have 2-factor authentication (2FA) enabled by default.

What about data encryption?

Our databases use the industry standard AES-256 encryption algorithm to encrypt at rest. Any sensitive data that we store in our database is also encrypted using AES-256. All data delivered and received from our users is served 100% over Hypertext Transfer Protocol Secure (HTTPS).

We take regular backups, which are also stored encrypted at rest with AES-256, and data stored in our CDN is likewise encrypted at rest with AES-256.

We only store data that is essential to the continued smooth running of our applications.

We only store data for as long as we need it.

We store access logs for 30 days and we use them to help protect us against attacks and to allow us to find potential threats and perform any debugging that is required.

But you still have third-party partners, right?

We do, but only in strict circumstances. We’re very selective with our data-processing partners and only select speciality providers in the roles of security and system monitoring.

Our partners are always equally committed to providing adequate/high levels of protection. We check and enforce this by requiring them to be part of the EU-US Privacy Shield scheme, we favour services with ISO 27001 certification, and we insist on having data processing agreements in place with us obliging them to protect your information. In all cases, we ensure that any transfer of your information is compliant with data protection law.

We have two third-party processors that operate outside of the EEA.

Cloudflare - Provides Enterprise-level WAF (Web Application Firewall) services as well as DDoS protection. Cloudflare has access to users’ IP addresses and details of all page views. They do not have access to data such as names or contact information.

Intercom - One of the world’s leading support platforms, chosen for their commitment to security and data protection. Intercom allows us to provide a full-service help desk with articles, emails and our popular live chat support.

Intercom provides two distinct roles for our platform:

Adviser Portal administrators - To provide this service, Intercom has access to the names and contact information held inside the Adviser Portal for its system users (administrators).

Clients (viewers) - Intercom only has access to client data in the event they proactively seek our support via help.moneyalive.co.uk, our support email or one of our chatbots (for example, on our corporate site). Intercom stores all information the clients choose to disclose to us, such as their name, email address and the nature of their support query.

Addressing the weakest link

Whether we like it or not, humans are often the cause of most data leaks, so designing a process whereby our user access is as secure as the rest of the platform is another priority for us.

Both staff and system users accessing the Adviser Portal platform are subject to an enforced password complexity standard, and credentials are stored using a password-based key derivation function (bcrypt).

This access is often subject to a valid IP address/range (for staff and Enterprise customers) where access outside of this range will be challenged or blocked outright.

Viewer access to the Money Alive media is never anonymous and requires the end user (client) to authenticate their identity via a temporary access code. These codes expire after three hours and can only be used once. This feature improves the client experience, as they do not have to remember a complex password for a journey that is typically completed in two sessions.
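The sketch below is an added example, not Money Alive's own code, showing one way to enforce the two properties described above: a three-hour expiry and single use. The class name, the in-memory store, hashing the code before storage and the constant-time comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 3 * 60 * 60  # three hours, as stated in the post


class AccessCodeStore:
    """Hypothetical in-memory store for temporary viewer access codes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._codes = {}      # client_id -> (sha256 digest, expires_at)

    def issue(self, client_id):
        """Create a fresh code; issuing again replaces any earlier code."""
        code = secrets.token_urlsafe(9)  # 72 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # Only the digest is kept, so a leaked store does not reveal live codes.
        self._codes[client_id] = (digest, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, client_id, presented):
        """Return True exactly once for a valid, unexpired code."""
        record = self._codes.get(client_id)
        if record is None:
            return False
        digest, expires_at = record
        if self._clock() >= expires_at:
            del self._codes[client_id]   # expired: drop the stale record
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False                 # constant-time comparison
        del self._codes[client_id]       # single use: consume on success
        return True


if __name__ == "__main__":
    store = AccessCodeStore()
    code = store.issue("client-1")       # constructed client identifier
    print(store.redeem("client-1", code), store.redeem("client-1", code))
```

In a multi-process deployment the consume step would need to be atomic in the backing store, for example a conditional delete, so two concurrent requests cannot both redeem the same code.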

The steering group for information security at Money Alive is made up of the CEO, CTO and infrastructure lead. We have quarterly reviews on current policies and infrastructure as well as monitoring our development roadmap and industry best practices.

We implement a protocol for handling security events that includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies and receive security awareness training.

Just like our extensive media library and platform user-experience, we never consider our infrastructure security complete. We’re dedicated to continuous reviews and improvements throughout the lifetime of our platform - fulfilling our commitment to securing your data as if it was our own.